Skip to content

Trojanised extensions in VSCode marketplace put millions at risk

  • by
  • 3 min read

Visual Studio Code (VSCode) Marketplace faces severe security vulnerabilities. Extensions laced with trojans infiltrate organisations, steal sensitive information, and evade detection in millions of devices. Over 100 organisations were compromised by a fake extension mimicking a popular theme, highlighting the urgent need for stricter security measures on the platform.

VSCode, a widely-used source code editor published by Microsoft, offers a plethora of extensions that enhance the application’s functionality and customisation options. However, several reports have emerged highlighting security gaps, such as extension and publisher impersonation, and extensions that steal developer authentication tokens with some malicious extensions have even been found active in the wild, reported Bleeping Computer.

In their recent experiment, the Israeli researchers Amit Assaraf, Itay Kruk, and Idan Dardikman, created an extension that typosuqatted the popular ‘Dracula Official’ theme, which boasts over 7 million installs on the VSCode Marketplace. The fake extension, ‘Darcula’, used the legitimate Dracula theme’s code but included an added script to collect system information and send it to a remote server.

Darcula Official malicious extensions in VSCode. | Source: Amit Assaraf

The researchers’ extension successfully bypassed endpoint detection and response (EDR) tools, as VSCode’s development and testing nature often leads to lenient security treatments.

“Unfortunately, traditional endpoint security tools (EDRs) do not detect this activity. VSCode is built to read lots of files and execute many commands and create child processes, thus EDRs cannot understand if the activity from VSCode is legit developer activity or a malicious tension,” said researcher Amit Assaraf.

Multiple high-value targets mistakenly installed the extension, including a publicly listed company with a $483 billion market cap, major security companies, and a national justice court network.

Malicious code added to Darcula extension. | Source: Amit Assaraf

Following their successful infiltration, the researchers used a custom tool, ‘ExtensionTool,’ to analyse the VSCode Marketplace’s threat landscape. Their findings were alarming:

  • 1,283 extensions with known malicious code (229 million installs).
  • 8,161 extensions communicating with hardcoded IP addresses.
  • 1,452 extensions running unknown executables.
  • 2,304 extensions using another publisher’s GitHub repo, indicating they are copycats.

The researchers have found a reverse shell in a code beautifying extension named CWL Beautifier, demonstrating how malicious extensions can open a backdoor to the cybercriminal’s server.

Cities where researchers noticed downloads of malicious extensions. | Source: Amit Assaraf

The researchers reported all detected malicious extensions to Microsoft for removal. However, most remain available for download on the VSCode Marketplace. The researchers plan to release ‘ExtensionTotal’ as a free tool soon to help developers scan their environments for potential threats.

Despite reaching out, Microsoft has yet to respond regarding their plans to improve the Marketplace’s security and address issues like typosquatting and impersonation.

In the News: Xbox unveils a new Series S and dual Series X models

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: